[RADIATOR] Handler matching multiple Service-Types
Hello,

We are using Radiator as RADIUS server for various switches. We have two different Handlers, one for Cisco and HP gear, and one for Extreme switches. They are nearly identical, even the reply, except for the Service-Type. Cisco requests have the attribute Service-Type=Call-Check, whereas Extreme switches have Service-Type=Login-User set.

Is there a way to write a handler matching both Service-Types without omitting the check?

Best Regards
Daniel

---
Daniel Herrmann
Competence Center Lan (CC-LAN)
Fraunhofer-Institut für Graphische Datenverarbeitung IGD
Fraunhoferstr. 5 | 64283 Darmstadt | Germany
Tel +49 6151 155-346 | Fax +49 6151 155-399
daniel.herrm...@igd.fraunhofer.de | www.igd.fraunhofer.de/

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Handler matching multiple Service-Types
Hello Daniel -

Something like this should work:

    <Handler Service-Type = /Call-Check|Login-User/>
        …..
    </Handler>

regards

Hugh

On 6 May 2013, at 18:20, Herrmann, Daniel daniel.herrm...@igd.fraunhofer.de wrote:

> Hello,
>
> We are using Radiator as RADIUS server for various switches. We have two different Handlers, one for Cisco and HP gear, and one for Extreme switches. They are nearly identical, even the reply, except for the Service-Type. Cisco requests have the attribute Service-Type=Call-Check, whereas Extreme switches have Service-Type=Login-User set.
>
> Is there a way to write a handler matching both Service-Types without omitting the check?
>
> Best Regards
> Daniel

--
Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
On 04/04/2013 01:30 PM, Thomas Kurian wrote:

> How to resolve this issue, I require both the handlers to process the respective packets' contents when each of the kind is received by Radiator from the NAS. Please help me out.

I think you are missing the closing </AuthBy>. You have AcctColumnDef followed by </Handler>. Add </AuthBy> before the </Handler>.

    <Handler Acct-Status-Type = Stop>
        <AuthBy SQL>
            ...
            AcctColumnDef NASPORT,NAS-Port,integer
    </Handler>

--
Heikki Vatiainen
h...@open.com.au
[RADIATOR] Handler type Stop/Alive distinguished processing
Hi Friends,

I have a doubt about handlers. Below is my current configuration, but I have plans to split this configuration into two parts for further development. One part is to be handled by the handler clause <Handler Acct-Status-Type = Alive> and the other part is to be handled by <Handler Acct-Status-Type = Stop>.

Previously I had made a configuration similar to this, but the 2nd defined handler clause in the Radiator config was never called. Why is this? What is the right way/syntax to implement the above-mentioned requirement of mine? I previously got a reply, something like "the first matching clause would be used and the others would be ignored". Can you please elaborate on this? I did not understand it.

My requirement is to process and handle Alive and Stop packets separately, and the configuration must be called/processed separately each time Radiator receives one, based on the Acct-Status-Type as described above.

Please help me out, I could not find an explanation for this anywhere and I am confused. Please let me know if you need any more specifics to help me out.

Configuration:

    #Foreground
    #LogStdout
    AcctPort 1813
    AuthPort 1812
    BindAddress 0.0.0.0
    LogDir /var/log/radius
    DbDir /etc/radiator
    # Use a low trace level in production systems. Increase
    # it to 4 or 5 for debugging, or use the -trace flag to radiusd
    Trace 4

    # You will probably want to add other Clients to suit your work site,
    <Client DEFAULT>
        Secret x
        DupInterval 0
    </Client>

    <Client 10.50.1.4>
        Secret x
        DupInterval 0
        NasType Cisco
        IgnoreAcctSignature
    </Client>

    <SessionDatabase SQL>
        Identifier tamesql
        DBSource dbi:ODBC:IRONMAN
        DBUsername xx
        DBAuth x
    </SessionDatabase>

    <Handler Request-Type = Accounting-Request>
        PreProcessingHook file:/etc/radiator/createavpairs.pl
        <AuthBy SQL>
            Identifier thomas
            DBSource dbi:ODBC:IRONMAN
            DBUsername
            DBAuth x
            #AccountingStopsOnly
            AccountingTable ACCOUNTING
            AcctColumnDef USERNAME, User-Name
            AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
            AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
            AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
            AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
            AcctColumnDef TIME_STAMP,Event-Timestamp,integer-date
            AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
            AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
            AcctColumnDef ACCTSESSIONID,Acct-Session-Id
            AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
            AcctColumnDef NASIDENTIFIER,NAS-Identifier
            AcctColumnDef NASPORT,NAS-Port,integer
            AcctColumnDef PARENTSESSIONID,parent-session-id
            AcctSQLStatement update quotasubscribers set monthlycounter = monthlycounter + 0%{Acct-Output-Octets}, totalcounter = totalcounter + 0%{Acct-Output-Octets}, timestamp = %{Event-Timestamp} \
                where username='%n' \
                And Type = 'Q'
        </AuthBy>
        PostAuthHook file:/etc/radiator/rocky.pl
        #Log accounting to a detail file
        AcctLogFileName %L/detail
    </Handler>

    <Handler Request-Type=Disconnect-Request>
        <AuthBy RADIUS>
            <Host 10.50.1.4>
                Secret xx
            </Host>
        </AuthBy>
    </Handler>

--
Thanks
Best Regards,
Thomas Kurian
IT Security Engineer (B.Tech. -- Electrical)
Kuwaiti Canadian Consulting Group (www.kccg.com)
T: +965 22435566
F: +965 22415149
E: tho...@kccg.com
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
On 27 March 2013 09:29, radiator-requ...@open.com.au wrote:

> My requirement is to process and handle Alive and Stop packets separately, and the configuration must be called/processed separately each time Radiator receives one, based on the Acct-Status-Type as described above.
>
> Please help me out, I could not find an explanation for this anywhere and I am confused. Please let me know if you need any more specifics to help me out.

There shouldn't be any problem with using <Handler Acct-Status-Type=Start>, <Handler Acct-Status-Type=Alive>, or <Handler Acct-Status-Type=Stop>, it is how we do accounting on our server. Maybe make sure you are using AuthByPolicy ContinueWhileIgnore if you have problems with subsequent handlers not getting called?

If that doesn't help, I'd suggest posting the config that doesn't work instead of the one that does; other people may be able to provide more suggestions.

Mike
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
AuthByPolicy has to do with the processing of the AuthBys in Handlers, not the Handlers themselves. Radiator will process the Handlers in the order they are in the config file, and will only process the first match. That's it.

If you want to do multiple things with the same packet, you would have to configure only 1 Handler, and multiple AuthBys to do more than one thing with a packet.

Michael

On 27/03/13 12:41 PM, Michael Newton wrote:

> There shouldn't be any problem with using <Handler Acct-Status-Type=Start>, <Handler Acct-Status-Type=Alive>, or <Handler Acct-Status-Type=Stop>, it is how we do accounting on our server. Maybe make sure you are using AuthByPolicy ContinueWhileIgnore if you have problems with subsequent handlers not getting called?
>
> If that doesn't help, I'd suggest posting the config that doesn't work instead of the one that does; other people may be able to provide more suggestions.
>
> Mike
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
Hi Mike,

Thanks for your email. Can you please tell me where exactly I have to add AuthByPolicy ContinueWhileIgnore? Should it go under each handler clause inside AuthBy SQL?

My old config (which didn't work, Start packets were never getting processed) (this was the config I had a problem with a long time ago, which led me to ask this question):

    AcctPort 1813
    AuthPort 1812
    BindAddress 0.0.0.0
    LogDir /var/log/radius
    DbDir /etc/radiator
    # Use a low trace level in production systems. Increase
    # it to 4 or 5 for debugging, or use the -trace flag to radiusd
    Trace 4

    # You will probably want to add other Clients to suit your work site,
    # one for each NAS you want to work with
    <Client DEFAULT>
        Secret
        DupInterval 0
    </Client>

    <Client 10.50.1.4>
        Secret xxx
        DupInterval 0
        NasType Cisco
        IgnoreAcctSignature
    </Client>

    #For strictly processing with Accounting Stop packets
    <Handler Acct-Status-Type = Stop>
        <AuthBy SQL>
            Identifier Block-Quota-SQL
            DBSource dbi:mysql:radius
            DBUsername
            DBAuth x
            AccountingStopsOnly
            AccountingTable quotacouunter
            AuthColumnDef username,User-Name,check
            AuthSelect select monthlycounter from quotacounter \
                where username='%n' \
                And type = 'Q'
            #AuthColumnDef 0, Session-Timeout, reply
            AcctSQLStatement update quotacounter set \
                monthlycounter=monthlycounter+%{Acct-Input-Octets} \
                where username='%n' \
                And Type = 'Q'
            AuthSelect select totalcounter from quotacounter \
                where username='%n' \
                And Type = 'Q'
            AcctSQLStatement update quotacounter set \
                totalcounter=totalcounter+%{Acct-Input-Octets} \
                where username='%n' \
                And Type = 'Q'
            PostAuthHook file:%D/thomas.pl;
        </AuthBy>
    </Handler>

    # Accept processing of other accounting requests of the genre start and interim
    <Handler Request-Type = Accounting-Request>
        <Realm DEFAULT>
            <AuthBy SQL>
                DBSource dbi:mysql:radius
                DBUsername
                DBAuth
                AccountingTable ACCOUNTING
                AcctColumnDef USERNAME, User-Name
                AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
                AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
                AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets
                AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets
                AcctColumnDef TIME_STAMP,Event-Timestamp
                AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time
                AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time
                AcctColumnDef ACCTSESSIONID,Acct-Session-Id
                AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
                AcctColumnDef NASIDENTIFIER,NAS-Identifier
                AcctColumnDef NASPORT,NAS-Port
                AcctColumnDef ACCTSESSIONID,Acct-Session-Id
            </AuthBy>
            # Log accounting to a detail file
            AcctLogFileName %L/detail
        </Realm>
    </Handler>

Requesting your kind help,

Thomas Kurian
IT Security Engineer (B.Tech. -- Electrical)
Kuwaiti Canadian Consulting Group (www.kccg.com)
T: +965 22435566
F: +965 22415149
E: tho...@kccg.com
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
AuthByPolicy is only for what to do when you have multiple AuthBys. You only have 1 per handler here, so it's irrelevant.

Best to show some debug log of this in action with a Start packet to figure out what's going on. The config looks like it should at least handle the Start packet.

On 27/03/13 03:32 PM, Thomas Kurian wrote:

> Hi Mike,
>
> Thanks for your email. Can you please tell me where exactly I have to add AuthByPolicy ContinueWhileIgnore? Should it go under each handler clause inside AuthBy SQL?
[RADIATOR] Handler regex for User-Name matching help
I'm trying to match a handler clause when the User-Name attribute is NOT equal to a particular regex statement.

User-Name is: CP-7942G-SEP2893FE127C54

My Handler statement that does match the User-Name is:

    <Handler Client-Identifier=SWITCHES, NAS-Port-Type=Ethernet, EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>

Any idea how I can use a regex to match all User-Name values that DO NOT equal /(.+)SEP([0-9a-fA-F]{12})$/

I was hoping I could just do a User-Name != /(.+)SEP([0-9a-fA-F]{12})$/ on the handler line but Radiator doesn't like that syntax. :( Here's what it returns:

    Fri Sep 10 09:09:09 2010: ERR: Bad attribute=value pair: User-Name != /(.+)SEP([0-9a-fA-F]{12})$/

--greg

Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
Re: [RADIATOR] Handler regex for User-Name matching help
So after a lot of googling and playing around with different combinations I came up with the following:

    /^(?!CP-)(?!-SEP([0-9a-fA-F]{12}$))/

It sort of works. It doesn't match when I feed it the username (CP-7942G-SEP2893FE127C54) -- which is exactly what I'm looking for (I don't want it to match). But I get the following when trying other usernames:

    Username                   Condition       Results
    ---------------------------------------------------------------------
    signup                     doesn't match   expected
    signup-SEP2893FE127C54     doesn't match   expected
    CP-7942G-SEP2893FE127C5    matches         expected
    CP-signup-SEP2893FE127C5   matches         expected
    CP-signup                  matches         not expected (should NOT match)

As you can tell I'm not a regular expression person. :)

Any ideas?

--greg
Re: [RADIATOR] Handler regex for User-Name matching help
Hello Greg -

I tend to prefer Handlers that match, rather than not.

So I would do something like this:

    …..

    # deal with phones
    <Handler Client-Identifier=SWITCHES, NAS-Port-Type=Ethernet, EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
        …..
    </Handler>

    # deal with whatever else (if required)
    <Handler …..>
        …..
    </Handler>

    …..

    # deal with everything else
    <Handler>
        …..
    </Handler>

    …..

hope that helps

regards

Hugh

On 10 Sep 2010, at 13:25, Gregory Fuller wrote:

> So after a lot of googling and playing around with different combinations I came up with the following:
>
>     /^(?!CP-)(?!-SEP([0-9a-fA-F]{12}$))/
>
> It sort of works. It doesn't match when I feed it the username (CP-7942G-SEP2893FE127C54) -- which is exactly what I'm looking for (I don't want it to match). But I get the following when trying other usernames:
>
>     Username                   Condition       Results
>     ---------------------------------------------------------------------
>     signup                     doesn't match   expected
>     signup-SEP2893FE127C54     doesn't match   expected
>     CP-7942G-SEP2893FE127C5    matches         expected
>     CP-signup-SEP2893FE127C5   matches         expected
>     CP-signup                  matches         not expected (should NOT match)
>
> As you can tell I'm not a regular expression person. :)
>
> Any ideas?
>
> --greg

NB:

Have you read the reference manual (doc/ref.html)?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
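The Handler threads above turn on two rules: a check item may be a regular expression, and only the first Handler that matches, in configuration order, processes the request. The Perl sketch below is an added example, not Radiator code and not code from any poster; it models those rules in simplified form and runs the Service-Type, Acct-Status-Type and User-Name cases from the threads. The check-list parser, the handler names, the anchoring of the Service-Type pattern and the sample requests are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: simplified model of Handler selection, not Radiator code.
use strict;
use warnings;

# Parse a check list such as "Attr = value, Attr = /regex/" into
# [name, matcher] pairs. An empty list models a catch-all <Handler>.
sub parse_checks {
    my ($spec) = @_;
    my @checks;
    while ($spec =~ m{\G\s*([\w-]+)\s*=\s*(?:/((?:\\.|[^/\\])*)/|([^,]*))\s*(?:,|\z)}gc) {
        my ($name, $re, $exact) = ($1, $2, $3);
        if (defined $re) {
            my $qr = qr/$re/;
            push @checks, [ $name, sub { $_[0] =~ $qr } ];
        }
        else {
            $exact =~ s/\s+\z//;
            push @checks, [ $name, sub { $_[0] eq $exact } ];
        }
    }
    die "cannot parse check list: $spec\n" if (pos($spec) // 0) < length $spec;
    return \@checks;
}

# Build an ordered handler list from name => check-list pairs.
sub handlers {
    my @pairs = @_;
    my @list;
    while (my ($name, $spec) = splice @pairs, 0, 2) {
        push @list, { name => $name, checks => parse_checks($spec) };
    }
    return \@list;
}

# Return the name of the first handler whose checks all match, else undef.
sub select_handler {
    my ($handlers, $request) = @_;
  HANDLER:
    for my $h (@$handlers) {
        for my $check (@{ $h->{checks} }) {
            my ($name, $matches) = @$check;
            my $value = $request->{$name};
            next HANDLER unless defined $value && $matches->($value);
        }
        return $h->{name};
    }
    return undef;
}

# One Handler for both switch families; the pattern from the reply is
# anchored here so that only the two exact values pass the check.
my $switches = handlers(
    switches => 'Service-Type = /^(?:Call-Check|Login-User)$/',
    fallback => '',
);
# A broad Handler placed first takes every accounting request ...
my $shadowed = handlers(
    all_acct => 'Request-Type = Accounting-Request',
    stop     => 'Acct-Status-Type = Stop',
);
# ... so the specific Handlers have to come before the general one.
my $ordered = handlers(
    stop     => 'Acct-Status-Type = Stop',
    alive    => 'Acct-Status-Type = Alive',
    all_acct => 'Request-Type = Accounting-Request',
);
# Positive match for phones first, catch-all last: no negated regex needed.
my $phones = handlers(
    phones => 'Client-Identifier=SWITCHES, NAS-Port-Type=Ethernet, '
            . 'EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/',
    everything_else => '',
);

# Constructed requests using attribute values quoted in the threads.
my %acct = ( 'Request-Type' => 'Accounting-Request' );
my %port = ( 'Client-Identifier' => 'SWITCHES', 'NAS-Port-Type' => 'Ethernet',
             'EAP-Message' => 'constructed-eap-bytes' );
my @cases = (
    [ $switches, { 'Service-Type' => 'Call-Check' },  'switches' ],
    [ $switches, { 'Service-Type' => 'Login-User' },  'switches' ],
    [ $switches, { 'Service-Type' => 'Framed-User' }, 'fallback' ],
    [ $shadowed, { %acct, 'Acct-Status-Type' => 'Stop' },  'all_acct' ],
    [ $ordered,  { %acct, 'Acct-Status-Type' => 'Stop' },  'stop' ],
    [ $ordered,  { %acct, 'Acct-Status-Type' => 'Alive' }, 'alive' ],
    [ $ordered,  { %acct, 'Acct-Status-Type' => 'Start' }, 'all_acct' ],
    [ $phones,   { %port, 'User-Name' => 'CP-7942G-SEP2893FE127C54' }, 'phones' ],
    [ $phones,   { %port, 'User-Name' => 'CP-7942G-SEP2893FE127C5' },  'everything_else' ],
    [ $phones,   { %port, 'User-Name' => 'signup' }, 'everything_else' ],
);

for my $case (@cases) {
    my ($handlers, $request, $expected) = @$case;
    my $got = select_handler($handlers, $request) // '(none)';
    my $summary = join ', ', map { "$_=$request->{$_}" } sort keys %$request;
    printf "%-16s <- %s\n", $got, $summary;
    die "expected $expected, got $got\n" if $got ne $expected;
}
```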
RE: (RADIATOR) Handler SIP Proxy
On Fri, 17 Oct 2003, Frank Danielson wrote:

Hi Frank,

Thanks for your answer. I will try your solution using a PreClient hook as suggested by Hugh.

Thanks Frank and Hugh.

> I would use a PreHandler hook in your Client clause to look for the request type and set an appropriate attribute to use in a Handler later. Since you have multiple Digest-Attribute attributes the only way I know of to handle it would be to spool through the incoming request's attributes looking for the one you want. You could try something like this-
>
>     <Client 111.222.333.444>
>         Secret somesecret
>         PreHandlerHook sub {my ($r,$value);\
>             foreach $r (@{${$_[0]}->{Attributes}})\
>             {\
>                 if ($r->[0] eq 'Digest-Attributes')\
>                 {\
>                     $value = Radius::AttrVal::pclean($r->[1]);\
>                     ${$_[0]}->add_attr('SIP-Request',$value) if ($value =~ /REGISTER|INVITE/);\
>                 }\
>             }}
>     </Client>
>
>     <Handler SIP-Request=REGISTER>
>     </Handler>
>
>     <Handler SIP-Request=INVITE>
>     </Handler>
>
> Obviously I have not tested this so proceed at your own risk.
>
> Frank Danielson
> [Infrastructure Architect]
> voice:407.515.8633 fax:407.515.9001
> ClearSky Mobile Media, Inc.
> 56 E. Pine St. Suite 200
> Orlando, FL 32801 USA
>
> -----Original Message-----
> From: Jesus Rodriguez [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 17, 2003 2:30 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Handler SIP Proxy
>
> Hello,
>
> My SIP proxy authenticates REGISTER and INVITE requests against Radiator. I would like to be able to differentiate between both requests.
>
> This is a REGISTER request:
>
>     Code: Access-Request
>     Identifier: 104
>     Authentic: 21713430y250D214j212`N\F254{222
>     Attributes:
>         User-Name = [EMAIL PROTECTED]
>         Digest-Attributes = 1012340002
>         Digest-Attributes = 113voztele.com
>         Digest-Attributes = 2*3f9032160a04f9a07db6b7431a03c66e63917d8e
>         Digest-Attributes = 417sip:voztele.com
>         Digest-Attributes = 310REGISTER
>         Digest-Response = 5d484ab3e8c3ee3aa8aeb4f7238d9456
>         Service-Type = SIP
>         SIP-URI-User = 340002
>         NAS-IP-Address = 192.168.1.34
>         NAS-Port = 5060
>
> And this is an INVITE request:
>
>     Code: Access-Request
>     Identifier: 100
>     Authentic: 230141168k203:}239134139O227]6147'
>     Attributes:
>         User-Name = [EMAIL PROTECTED]
>         Digest-Attributes = 101234
>         Digest-Attributes = 113voztele.com
>         Digest-Attributes = 2*3f90309d03749b41dfcc0d202bc35f89ebfc9d1c
>         Digest-Attributes = 427sip:[EMAIL PROTECTED]
>         Digest-Attributes = 38INVITE
>         Digest-Response = f398469d53d8eeb47bbde0d45f78583d
>         Service-Type = SIP
>         SIP-URI-User = 34
>         NAS-IP-Address = 192.168.1.34
>         NAS-Port = 5060
>
> The only differences between them are these Digest-Attributes:
>
>     Digest-Attributes = 310REGISTER
>     Digest-Attributes = 38INVITE
>
> I've been playing with <Handler Digest-Attributes = x> where x are different regular expressions but no luck.
>
> Is there some way to differentiate both requests? I have to treat them in a different way because I need to send a reply attribute only for the INVITEs.
>
> Thanks in advance.
>
> Regards
> JesusR.
>
> ---
> Jesus Rodriguez
> Endercom Comunicaciones, S.L.
> [EMAIL PROTECTED]
> http://www.endercom.com
> Tel. +34 934424293
> ---

Regards
JesusR.

---
Jesus Rodriguez
Endercom Comunicaciones, S.L.
[EMAIL PROTECTED]
http://www.endercom.com
Tel. +34 934424293
---

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) Handler SIP Proxy
I would use a PreHandler hook in your Client clause to look for the request type and set an appropriate attribute to use in a Handler later. Since you have multiple Digest-Attribute attributes the only way I know of to handle it would be to spool through the incoming request's attributes looking for the one you want. You could try something like this-

    <Client 111.222.333.444>
        Secret somesecret
        PreHandlerHook sub {my ($r,$value);\
            foreach $r (@{${$_[0]}->{Attributes}})\
            {\
                if ($r->[0] eq 'Digest-Attributes')\
                {\
                    $value = Radius::AttrVal::pclean($r->[1]);\
                    ${$_[0]}->add_attr('SIP-Request',$value) if ($value =~ /REGISTER|INVITE/);\
                }\
            }}
    </Client>

    <Handler SIP-Request=REGISTER>
    </Handler>

    <Handler SIP-Request=INVITE>
    </Handler>

Obviously I have not tested this so proceed at your own risk.

Frank Danielson
[Infrastructure Architect]
voice:407.515.8633 fax:407.515.9001
ClearSky Mobile Media, Inc.
56 E. Pine St. Suite 200
Orlando, FL 32801 USA

-----Original Message-----
From: Jesus Rodriguez [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 2:30 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Handler SIP Proxy

> Hello,
>
> My SIP proxy authenticates REGISTER and INVITE requests against Radiator. I would like to be able to differentiate between both requests.
>
> This is a REGISTER request:
>
>     Code: Access-Request
>     Identifier: 104
>     Authentic: 21713430y250D214j212`N\F254{222
>     Attributes:
>         User-Name = [EMAIL PROTECTED]
>         Digest-Attributes = 1012340002
>         Digest-Attributes = 113voztele.com
>         Digest-Attributes = 2*3f9032160a04f9a07db6b7431a03c66e63917d8e
>         Digest-Attributes = 417sip:voztele.com
>         Digest-Attributes = 310REGISTER
>         Digest-Response = 5d484ab3e8c3ee3aa8aeb4f7238d9456
>         Service-Type = SIP
>         SIP-URI-User = 340002
>         NAS-IP-Address = 192.168.1.34
>         NAS-Port = 5060
>
> And this is an INVITE request:
>
>     Code: Access-Request
>     Identifier: 100
>     Authentic: 230141168k203:}239134139O227]6147'
>     Attributes:
>         User-Name = [EMAIL PROTECTED]
>         Digest-Attributes = 101234
>         Digest-Attributes = 113voztele.com
>         Digest-Attributes = 2*3f90309d03749b41dfcc0d202bc35f89ebfc9d1c
>         Digest-Attributes = 427sip:[EMAIL PROTECTED]
>         Digest-Attributes = 38INVITE
>         Digest-Response = f398469d53d8eeb47bbde0d45f78583d
>         Service-Type = SIP
>         SIP-URI-User = 34
>         NAS-IP-Address = 192.168.1.34
>         NAS-Port = 5060
>
> The only differences between them are these Digest-Attributes:
>
>     Digest-Attributes = 310REGISTER
>     Digest-Attributes = 38INVITE
>
> I've been playing with <Handler Digest-Attributes = x> where x are different regular expressions but no luck.
>
> Is there some way to differentiate both requests? I have to treat them in a different way because I need to send a reply attribute only for the INVITEs.
>
> Thanks in advance.
>
> Regards
> JesusR.
>
> ---
> Jesus Rodriguez
> Endercom Comunicaciones, S.L.
> [EMAIL PROTECTED]
> http://www.endercom.com
> Tel. +34 934424293
> ---
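The traces above print each Digest-Attributes value as type, length, value: "310REGISTER" is sub-attribute type 3, length 10, then "REGISTER", and "38INVITE" is type 3, length 8. The following added example (not part of the posts, and not Radiator code) parses that layout and tags a request by its Method sub-attribute only, instead of searching every value for the words. The sub-attribute numbering is taken from draft-sterman-aaa-sip as an assumption, and all function names and sample requests are constructed.

```python
# Sub-attribute type for the SIP method. Assumption: numbering as in
# draft-sterman-aaa-sip; it agrees with the traces (type 3 carries REGISTER/INVITE).
METHOD = 3
ALLOWED_METHODS = {"REGISTER", "INVITE"}


def parse_subattributes(value):
    """Split one Digest-Attributes value into (type, data) pairs.

    Each sub-attribute is: 1 byte type, 1 byte length (covering the two header
    bytes as well), then length-2 bytes of data. Raises ValueError when a
    length field does not fit the bytes actually received.
    """
    out, pos = [], 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        subtype, length = value[pos], value[pos + 1]
        if length < 2 or pos + length > len(value):
            raise ValueError("sub-attribute length out of range")
        out.append((subtype, value[pos + 2:pos + length]))
        pos += length
    return out


def sip_method(attributes):
    """Return 'REGISTER' or 'INVITE' for a request, or None if it cannot be decided.

    attributes is a list of (name, raw_value) pairs in packet order. The request
    is tagged only when exactly one well-formed Method sub-attribute is present
    and its value is one of the allowed methods.
    """
    methods = []
    for name, raw in attributes:
        if name != "Digest-Attributes":
            continue
        try:
            subs = parse_subattributes(raw)
        except ValueError:
            return None
        methods.extend(data for subtype, data in subs if subtype == METHOD)
    if len(methods) != 1:
        return None
    try:
        text = methods[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text in ALLOWED_METHODS else None


def substring_hits(attributes):
    """Contrast: every Digest-Attributes value that merely contains either word."""
    return [raw for name, raw in attributes
            if name == "Digest-Attributes" and (b"REGISTER" in raw or b"INVITE" in raw)]


def tlv(subtype, text):
    """Build one sub-attribute for the constructed samples below."""
    data = text.encode("ascii")
    return bytes([subtype, len(data) + 2]) + data


# Constructed requests modelled on the two traces (user names are placeholders).
REGISTER_REQ = [
    ("User-Name", b"user@example.invalid"),
    ("Digest-Attributes", tlv(1, "voztele.com")),
    ("Digest-Attributes", tlv(4, "sip:voztele.com")),
    ("Digest-Attributes", tlv(3, "REGISTER")),
]
INVITE_REQ = [
    ("User-Name", b"user@example.invalid"),
    ("Digest-Attributes", tlv(1, "voztele.com")),
    ("Digest-Attributes", tlv(4, "sip:callee@example.invalid")),
    ("Digest-Attributes", tlv(3, "INVITE")),
]
# Constructed: a REGISTER whose URI sub-attribute happens to contain "INVITE".
MIXED_REQ = [
    ("Digest-Attributes", tlv(4, "sip:INVITE-desk@example.invalid")),
    ("Digest-Attributes", tlv(3, "REGISTER")),
]
# Constructed: length byte claims 10 bytes but only 6 arrived.
TRUNCATED_REQ = [("Digest-Attributes", b"\x03\x0aREGI")]

if __name__ == "__main__":
    for label, req in [("register", REGISTER_REQ), ("invite", INVITE_REQ),
                       ("mixed", MIXED_REQ), ("truncated", TRUNCATED_REQ)]:
        print(label, sip_method(req), len(substring_hits(req)))
```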
Re: (RADIATOR) Handler SIP Proxy
Hello Frank, Hello Jesus -

Frank is quite correct (thanks as always).

If you have multiple Client clauses you might consider using a PreClientHook instead. And I usually keep my hook code in separate files - see the examples in goodies/hooks.txt.

regards

Hugh

On Saturday, Oct 18, 2003, at 05:52 Australia/Melbourne, Frank Danielson wrote:

> I would use a PreHandler hook in your Client clause to look for the request type and set an appropriate attribute to use in a Handler later. Since you have multiple Digest-Attribute attributes the only way I know of to handle it would be to spool through the incoming request's attributes looking for the one you want. You could try something like this-
>
>     <Client 111.222.333.444>
>         Secret somesecret
>         PreHandlerHook sub {my ($r,$value);\
>             foreach $r (@{${$_[0]}->{Attributes}})\
>             {\
>                 if ($r->[0] eq 'Digest-Attributes')\
>                 {\
>                     $value = Radius::AttrVal::pclean($r->[1]);\
>                     ${$_[0]}->add_attr('SIP-Request',$value) if ($value =~ /REGISTER|INVITE/);\
>                 }\
>             }}
>     </Client>
>
>     <Handler SIP-Request=REGISTER>
>     </Handler>
>
>     <Handler SIP-Request=INVITE>
>     </Handler>
>
> Obviously I have not tested this so proceed at your own risk.
>
> Frank Danielson
> [Infrastructure Architect]
> voice:407.515.8633 fax:407.515.9001
> ClearSky Mobile Media, Inc.
> 56 E. Pine St. Suite 200
> Orlando, FL 32801 USA
>
> -----Original Message-----
> From: Jesus Rodriguez [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 17, 2003 2:30 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Handler SIP Proxy
>
> Hello,
>
> My SIP proxy authenticates REGISTER and INVITE requests against Radiator. I would like to be able to differentiate between both requests.
>
> This is a REGISTER request:
>
>     Code: Access-Request
>     Identifier: 104
>     Authentic: 21713430y250D214j212`N\F254{222
>     Attributes:
>         User-Name = [EMAIL PROTECTED]
>         Digest-Attributes = 1012340002
>         Digest-Attributes = 113voztele.com
>         Digest-Attributes = 2*3f9032160a04f9a07db6b7431a03c66e63917d8e
>         Digest-Attributes = 417sip:voztele.com
>         Digest-Attributes = 310REGISTER
>         Digest-Response = 5d484ab3e8c3ee3aa8aeb4f7238d9456
>         Service-Type = SIP
>         SIP-URI-User = 340002
>         NAS-IP-Address = 192.168.1.34
>         NAS-Port = 5060
>
> And this is an INVITE request:
>
>     Code: Access-Request
>     Identifier: 100
>     Authentic: 230141168k203:}239134139O227]6147'
>     Attributes:
>         User-Name = [EMAIL PROTECTED]
>         Digest-Attributes = 101234
>         Digest-Attributes = 113voztele.com
>         Digest-Attributes = 2*3f90309d03749b41dfcc0d202bc35f89ebfc9d1c
>         Digest-Attributes = 427sip:[EMAIL PROTECTED]
>         Digest-Attributes = 38INVITE
>         Digest-Response = f398469d53d8eeb47bbde0d45f78583d
>         Service-Type = SIP
>         SIP-URI-User = 34
>         NAS-IP-Address = 192.168.1.34
>         NAS-Port = 5060
>
> The only differences between them are these Digest-Attributes:
>
>     Digest-Attributes = 310REGISTER
>     Digest-Attributes = 38INVITE
>
> I've been playing with <Handler Digest-Attributes = x> where x are different regular expressions but no luck.
>
> Is there some way to differentiate both requests? I have to treat them in a different way because I need to send a reply attribute only for the INVITEs.
>
> Thanks in advance.
>
> Regards
> JesusR.
>
> ---
> Jesus Rodriguez
> Endercom Comunicaciones, S.L.
> [EMAIL PROTECTED]
> http://www.endercom.com
> Tel. +34 934424293
> ---
(RADIATOR) Handler question
Hello guys,

I have some questions about Handler behaviour.

First question is whether Handlers support regular expression syntax, like Realm does? In section 6.16 in the manual, there isn't any mention of that.. but as far as I'm concerned, I think it should be supported - but I would like confirmation. ;) I don't want to do any regexp matching against the names of the attributes, but rather against the attribute values (something like <Handler Called-Id = /(12345|54321)/i, User-Realm = /(this|that)/i>).

Second question: Realm supersedes Handler definitions in the configuration file, and Handlers get processed sequentially.. but what happens if a request matches 2 handlers, like in the following case:

my request = [EMAIL PROTECTED] (Client-Id: 1.1.1.1)

    <Handler User-Realm = /WHATEVER/i, Client-Id = /1\.1\.1\.1/>
        ...
    </Handler>

    <Handler User-Realm = /WHATEVER/i>
        ...
    </Handler>

The request will match the first handler, but what happens if the AuthBy fails at that point? Will it still continue to the next Handler, or will it immediately send an Access-Reject?

Thanks!

-Andy

--
Andy De Petter - Expert IT Analyst - [EMAIL PROTECTED]
Belgacom ANS/EIS/ISA - Carlistraat 2 - 1140 Brussels (Belgium)
Head office: Koning Albert II Laan 27 - 1030 Brussels (Belgium)
Tel +32 (0)2 7061170 - Fax +32 (0)2 7061150 - ICQ #1548957
Re: (RADIATOR) Handler question
Hello Andy -

Yes you can use regular expressions with Handlers, and the first match is the only match. If a request can match multiple Handlers, it will only be processed by the first one that matches. Therefore the more specific Handlers must appear before the more general Handlers in the list.

regards

Hugh

On Thursday, Jul 10, 2003, at 18:21 Australia/Melbourne, Andy De Petter wrote:

> Hello guys,
>
> I have some questions about Handler behaviour.
>
> First question is whether Handlers support regular expression syntax, like Realm does? In section 6.16 in the manual, there isn't any mention of that.. but as far as I'm concerned, I think it should be supported - but I would like confirmation. ;) I don't want to do any regexp matching against the names of the attributes, but rather against the attribute values (something like <Handler Called-Id = /(12345|54321)/i, User-Realm = /(this|that)/i>).
>
> Second question: Realm supersedes Handler definitions in the configuration file, and Handlers get processed sequentially.. but what happens if a request matches 2 handlers, like in the following case:
>
> my request = [EMAIL PROTECTED] (Client-Id: 1.1.1.1)
>
>     <Handler User-Realm = /WHATEVER/i, Client-Id = /1\.1\.1\.1/>
>         ...
>     </Handler>
>
>     <Handler User-Realm = /WHATEVER/i>
>         ...
>     </Handler>
>
> The request will match the first handler, but what happens if the AuthBy fails at that point? Will it still continue to the next Handler, or will it immediately send an Access-Reject?
>
> Thanks!
>
> -Andy
>
> --
> Andy De Petter - Expert IT Analyst - [EMAIL PROTECTED]
> Belgacom ANS/EIS/ISA - Carlistraat 2 - 1140 Brussels (Belgium)
> Head office: Koning Albert II Laan 27 - 1030 Brussels (Belgium)
> Tel +32 (0)2 7061170 - Fax +32 (0)2 7061150 - ICQ #1548957
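A small model of the "first match is the only match" rule from Hugh's answer, with a check that flags Handlers that can never be selected because an earlier one already covers them. This is an added example, not Radiator code: the parser only understands the `<Handler ...>` opening lines shown in this thread, the sample configuration is constructed from Andy's two Handlers placed in the wrong order, and all function names are hypothetical.

```python
import re

# Constructed config: Andy's Handlers with the general one listed first,
# followed by a catch-all Handler.
CONFIG = r"""
<Handler User-Realm = /WHATEVER/i>
</Handler>
<Handler User-Realm = /WHATEVER/i, Client-Id = /1\.1\.1\.1/>
</Handler>
<Handler>
</Handler>
"""


def split_items(spec):
    """Split 'a = /x,y/, b = c' on commas that are outside /regex/ delimiters."""
    items, buf, in_re, prev = [], [], False, ""
    for ch in spec:
        if ch == "/" and prev != "\\":
            in_re = not in_re
        if ch == "," and not in_re:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_handlers(text):
    """Return the Handlers in file order as {'line': n, 'checks': {attr: value}}."""
    handlers = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*<Handler\b(.*)>\s*$", line)
        if not m:
            continue
        checks = {}
        for item in split_items(m.group(1)):
            attr, _, value = item.partition("=")
            checks[attr.strip()] = value.strip()
        handlers.append({"line": lineno, "checks": checks})
    return handlers


def item_matches(value, actual):
    """/re/ and /re/i are unanchored regex searches; anything else is an exact match."""
    m = re.fullmatch(r"/(.*)/(i?)", value)
    if m:
        flags = re.IGNORECASE if m.group(2) else 0
        return re.search(m.group(1), actual, flags) is not None
    return value == actual


def select(handlers, request):
    """First Handler whose check items all match; later Handlers are never tried."""
    for h in handlers:
        if all(a in request and item_matches(v, request[a])
               for a, v in h["checks"].items()):
            return h
    return None


def shadowed(handlers):
    """(later_line, earlier_line) pairs where the later Handler is unreachable.

    Sufficient condition only: every check item of the earlier Handler appears
    verbatim in the later one, so whatever matches the later one matched earlier.
    """
    found = []
    for i, later in enumerate(handlers):
        for earlier in handlers[:i]:
            if earlier["checks"].items() <= later["checks"].items():
                found.append((later["line"], earlier["line"]))
                break
    return found


BAD_ORDER = parse_handlers(CONFIG)
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0], BAD_ORDER[2]]  # specific before general
REQUEST = {"User-Realm": "whatever", "Client-Id": "1.1.1.1"}  # constructed request

if __name__ == "__main__":
    print("shadowed in posted order :", shadowed(BAD_ORDER))
    print("shadowed after reordering:", shadowed(GOOD_ORDER))
    print("selected (bad order) line:", select(BAD_ORDER, REQUEST)["line"])
    print("selected (good order) line:", select(GOOD_ORDER, REQUEST)["line"])
```

Because regex check items are unanchored, `/1\.1\.1\.1/` in this model also matches a Client-Id of `11.1.1.10`; anchoring the pattern with `^` and `$` restricts it to the one address.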
(RADIATOR) Handler or Realm
Hi, I am now using Radiator with a single default-realm for 4 different Client-sets. I use a rewrite username to strip off the realm if a client provides it. I now want to split the authentication to be able to use 2 separate Online-algorithms. What do you propose I use, A Handler or 2 different realms with a default-realm in the client-clause? Or can a handler trigger on the client used? TX, Herman
Re: (RADIATOR) Handler or Realm
Use handlers, never use realms.. Handlers can do everything that realms can do and more.

Bret

Herman verschooten wrote:

> Hi,
>
> I am now using Radiator with a single default-realm for 4 different Client-sets. I use a rewrite username to strip off the realm if a client provides it. I now want to split the authentication to be able to use 2 separate Online-algorithms.
>
> What do you propose I use, A Handler or 2 different realms with a default-realm in the client-clause? Or can a handler trigger on the client used?
>
> TX,
>
> Herman

--
Bret Jordan                  Dean's Office
Computer Administrator       College of Engineering
801.585.3765                 University of Utah
[EMAIL PROTECTED]
Re: (RADIATOR) Handler or Realm
Hello Bret, Hello Herman -

As Bret says, Realms are a subset of Handlers, but they are also much more efficient. A Realm is selected by doing a table lookup on the specified string, whereas the list of Handlers is evaluated in the order that they appear in the configuration file. In both cases the first match is the only match.

In general, a simple configuration based on Realms is very easy to understand and very efficient. It is certainly true that Handlers are far more flexible, but you probably don't want hundreds of Handlers in your configuration file.

In Herman's case, I generally suggest using Identifiers in the Client clauses and Handlers to suit:

    # define Client clauses

    <Client 1.1.1.1>
        Identifier SomeTag
    </Client>

    <Client 2.2.2.2>
        Identifier SomeTag
    </Client>

    <Client 3.3.3.3>
        Identifier AnotherTag
    </Client>

    ..

    # define Handlers

    <Handler Client-Identifier = SomeTag>
        .
    </Handler>

    <Handler Client-Identifier = AnotherTag>
        .
    </Handler>

    .

On Tuesday, Jul 1, 2003, at 04:14 Australia/Melbourne, Bret Jordan wrote:

> Use handlers, never use realms.. Handlers can do everything that realms can do and more.
>
> Bret
>
> Herman verschooten wrote:
>
> > Hi,
> >
> > I am now using Radiator with a single default-realm for 4 different Client-sets. I use a rewrite username to strip off the realm if a client provides it. I now want to split the authentication to be able to use 2 separate Online-algorithms.
> >
> > What do you propose I use, A Handler or 2 different realms with a default-realm in the client-clause? Or can a handler trigger on the client used?
> >
> > TX,
> >
> > Herman
>
> --
> Bret Jordan                  Dean's Office
> Computer Administrator       College of Engineering
> 801.585.3765                 University of Utah
> [EMAIL PROTECTED]
(RADIATOR) Handler Acct-Status-Type=
Hello.

I am attempting to update to 3.5 from 3.1 and have a problem. The handler

    <Handler Acct-Status-Type=>
    </Handler>

does not work in 3.5. :-( None of the packets match this handler. I use this to process Access-Request packets. Separately I use

    <Handler Acct-Status-Type=/Start|Stop/>
    </Handler>

to process Accounting-Request packets.

Is this a bug or a new feature? :-)

--
Regards, Sergey Afonin
[EMAIL PROTECTED]
Re: (RADIATOR) Handler Acct-Status-Type=
Hello Sergey -

I would suggest you do this:

    <Handler Acct-Status-Type=/Start|Stop/>
    </Handler>

    <Handler>
    </Handler>

The <Handler> clause will catch everything not processed by the previous Handlers and it will be much faster.

regards

Hugh

On Monday, Mar 31, 2003, at 20:15 Australia/Melbourne, Sergey Y. Afonin wrote:

> Hello.
>
> I am attempting to update to 3.5 from 3.1 and have a problem. The handler
>
>     <Handler Acct-Status-Type=>
>     </Handler>
>
> does not work in 3.5. :-( None of the packets match this handler. I use this to process Access-Request packets. Separately I use
>
>     <Handler Acct-Status-Type=/Start|Stop/>
>     </Handler>
>
> to process Accounting-Request packets.
>
> Is this a bug or a new feature? :-)
>
> --
> Regards, Sergey Afonin
> [EMAIL PROTECTED]
(RADIATOR) Handler for capturing 151 at the end of the Called-Station-Id
Hey Guys,

Just a quick check.. How would I write a handler to capture all numbers ending in a particular suffix?

    <Handler Called-Station-Id=/151$/>

?

Obviously 151 is quite small and likely to appear in the middle of parts of other numbers... Thus has to be matched on the end of the line.

Thanks

Martin Edge

Martin Edge
Systems/Applications Engineer
KBS Internet
Ph: 1300 727 205
Web: http://www.kbs.net.au/
Wholesale: http://xray.kbs.net.au/
Email: [EMAIL PROTECTED]
Re: (RADIATOR) Handler for capturing 151 at the end of the Called-Station-Id
Hello Martin -

Yes this is correct - although you should always do some testing to verify correct operation. Also note that Handlers are evaluated in the order they appear in the configuration file, so the more specific must appear before the more general.

regards

Hugh

On Monday, Mar 31, 2003, at 12:57 Australia/Melbourne, Martin Edge wrote:

> Hey Guys,
>
> Just a quick check.. How would I write a handler to capture all numbers ending in a particular suffix?
>
>     <Handler Called-Station-Id=/151$/>
>
> ?
>
> Obviously 151 is quite small and likely to appear in the middle of parts of other numbers... Thus has to be matched on the end of the line.
>
> Thanks
>
> Martin Edge
>
> Martin Edge
> Systems/Applications Engineer
> KBS Internet
> Ph: 1300 727 205
> Web: http://www.kbs.net.au/
> Wholesale: http://xray.kbs.net.au/
> Email: [EMAIL PROTECTED]
(RADIATOR) Handler
How would I do something like this?

I would like to use a handler online if

    <handler 1>
        Client-Identifer = Comindico
        NAS-IP-Address = 203.194.30.244
    </handler>

    <handler 2>
        Client-Identifer = Comindico
        NAS-IP-Address != 203.194.30.244
        NAS-IP-Address != 203.222.153.14
    </handler>

    <handler 3>
        Client-Identifer = Max
        NAS-IP-Address = 203.222.153.14
    </handler>

I have the handlers for each but am now lost as to how you use multiple clauses in a handler or even if you can...

-
Chris Kay (Systems Development)
Techex Communications
Website: www.techex.com.au
Email: [EMAIL PROTECTED]
Telephone: 1300 88 111 2 - Fax: 1300 882 221
-
Re: (RADIATOR) Handler
Hello Chris -

You should set up the Identifiers in your Client clauses appropriately, then use something like this:

    # define Client clauses

    <Client>
        Identifier Comindico-Whatever
    </Client>

    <Client>
        Identifier Comindico-SomethingElse
    </Client>

    .

    # define AuthBy clauses

    <AuthBy>
        Identifier CheckUser
    </AuthBy>

    .

    # define Handlers

    <Handler Client-Identifier = Comindico-Whatever>
        AuthBy CheckUser
    </Handler>

    <Handler Client-Identifier = Comindico-SomethingElse>
        AuthBy CheckUser
    </Handler>

    .

regards

Hugh

On Tuesday, Jan 14, 2003, at 17:40 Australia/Melbourne, Chris Kay wrote:

> How would I do something like this?
>
> I would like to use a handler online if
>
>     <handler 1>
>         Client-Identifer = Comindico
>         NAS-IP-Address = 203.194.30.244
>     </handler>
>
>     <handler 2>
>         Client-Identifer = Comindico
>         NAS-IP-Address != 203.194.30.244
>         NAS-IP-Address != 203.222.153.14
>     </handler>
>
>     <handler 3>
>         Client-Identifer = Max
>         NAS-IP-Address = 203.222.153.14
>     </handler>
>
> I have the handlers for each but am now lost as to how you use multiple clauses in a handler or even if you can...
>
> -
> Chris Kay (Systems Development)
> Techex Communications
> Website: www.techex.com.au
> Email: [EMAIL PROTECTED]
> Telephone: 1300 88 111 2 - Fax: 1300 882 221
> -
(RADIATOR) Handler Called-Station-Id SQL
Hello All,

We have a proxy radius server and we want to have a table in mysql where we can have a list of telephone numbers that are not permitted to authenticate.

Normally I would just use,

    <Handler Called-Station-Id = 029497>
        IgnoreAuth
        IgnoreAcct
    </Handler>

However the list of users is now growing and I do not wish to add these statements for the many users we wish to block.

Attached is our radius.cfg file.

Could anyone please tell me the best method of achieving the above?

Thanks.

Regards,
Rabbie.
(RADIATOR) Handler working now.... but ;-)
Ok..

With the awesome help of Hugh my handler is working fine.

But. my SessionDatabase is still getting both accounting data. Can I move the below into the main Handler or is there something else to address this?

    #This keeps track of who is online
    <SessionDatabase SQL>
        Identifier SDB1
        DBSource dbi:mysql:x:x
        DBUsername radius
        DBAuth t3ch3xAuTh
        AddQuery insert into online (acct_handle,nas_id,online_nasport,online_sessionid,online_date,online_ipaddress,online_servicetype,online_calling_station,online_called_station,online_key) values ('%n','%N','%{NAS-Port}','%{Acct-Session-Id}',from_unixtime(%{Timestamp}),'%{Framed-IP-Address}','%{Service-Type}','%{Calling-Station-Id}','%{Called-Station-Id}','%{Ascend-Session-Svr-Key}')
        DeleteQuery delete from online where acct_handle = '%n' and nas_id = '%N' and online_nasport = %{NAS-Port}
        ClearNasQuery delete from online where nas_id = '%N'
        CountQuery select nas_id,online_nasport,online_sessionid from online where acct_handle = '%n'
    </SessionDatabase>

--
Skeeve Stevens
url: http://www.skeeve.org/
email: [EMAIL PROTECTED]/
url: http://www.eIntellego.org/
Re: (RADIATOR) Handler working now.... but ;-)
Hello Skeeve -

Try something like this (note the Handler definition below also):

    # define Session Databases

    <SessionDatabase SQL>
        Identifier SQLSDB
    </SessionDatabase>

    <SessionDatabase NULL>
        Identifier NULLSDB
        .
    </SessionDatabase>

    # define Handlers

    <Handler Request-Type = Accounting-Request, NAS-Port-Type = Async>
        # use NULL session database
        SessionDatabase NULLSDB
        <AuthBy INTERNAL>
            AcctResult ACCEPT
        </AuthBy>
        .
    </Handler>

    <Handler>
        # use SQL session database
        SessionDatabase SQLSDB
        .
    </Handler>

regards

Hugh

On Friday, September 20, 2002, at 01:44 PM, Skeeve Stevens wrote:

> Ok..
>
> With the awesome help of Hugh my handler is working fine.
>
> But. my SessionDatabase is still getting both accounting data. Can I move the below into the main Handler or is there something else to address this?
>
>     #This keeps track of who is online
>     <SessionDatabase SQL>
>         Identifier SDB1
>         DBSource dbi:mysql:x:x
>         DBUsername radius
>         DBAuth t3ch3xAuTh
>         AddQuery insert into online (acct_handle,nas_id,online_nasport,online_sessionid,online_date,online_ipaddress,online_servicetype,online_calling_station,online_called_station,online_key) values ('%n','%N','%{NAS-Port}','%{Acct-Session-Id}',from_unixtime(%{Timestamp}),'%{Framed-IP-Address}','%{Service-Type}','%{Calling-Station-Id}','%{Called-Station-Id}','%{Ascend-Session-Svr-Key}')
>         DeleteQuery delete from online where acct_handle = '%n' and nas_id = '%N' and online_nasport = %{NAS-Port}
>         ClearNasQuery delete from online where nas_id = '%N'
>         CountQuery select nas_id,online_nasport,online_sessionid from online where acct_handle = '%n'
>     </SessionDatabase>
>
> --
> Skeeve Stevens
> url: http://www.skeeve.org/
> email: [EMAIL PROTECTED]/
> url: http://www.eIntellego.org/
(RADIATOR) Handler clause attributes
Hi Hugh, Hi All,

Please, is there somewhere I can get a list of all the attributes that can go into the Handler clause (<Handler attributes=>) and their proper names and the format of their values?

Regards,
Tunde Itayemi.
Re: (RADIATOR) Handler question
Hello Anton -

You are usually better to do something like this:

    # define AuthBy clauses

    <AuthBy ...>
        Identifier DoSomething
        .
    </AuthBy>

    <AuthBy>
        Identifier DoSomethingElse
        .
    </AuthBy>

    <AuthBy GROUP>
        Identifier DoEverything
        AuthByPolicy
        AuthBy DoSomething
        AuthBy DoSomethingElse
        .
    </AuthBy>

    .

    # define Handlers

    <Handler Called-Station-Id=678771>
        AuthBy DoEverything
        .
    </Handler>

    <Handler Realm=open.com.au>
        AuthBy DoEverything
        .
    </Handler>

This is just an example, but you should get the idea.

regards

Hugh

On Sat, 27 Jul 2002 02:58, Anton Krall wrote:

> Guys.. is there a way to make a handler work in an OR fashion instead of AND?
>
> Like
>
>     <Handler Called-Station-Id=678771,Realm=open.com.au>
>
> this would suggest Called and Realm
>
> is there a way to make it Called OR Realm?
>
> Thx!
>
> Regards
>
> Anton Krall
> Director of Technology
> Inter.net México / Panamá
> Tel: 5241-7609 (direct)
> Tel: 5241-7600 (switchboard)
> Mobile: 0445-105-5160
> ICQ: 4979450
> email: [EMAIL PROTECTED]
> web: http://www.mx.inter.net
>
> Outside Mexico:
> Office: +52(555)241-7609
> PBX: +52(555)241-7600
> Mobile: +52(555)105-5160
(RADIATOR) Handler w/ AddToReply question
I'm trying to use Radiator 2.19 and Handlers to configure some Ascend-Data-Filter attributes to our roaming partners.

I've added the following to my config file:

    <Handler Client-Identifier = RoamingPartner>
        AddToReply =Ascend-Data-Filter = ip in forward tcp est,\
            Ascend-Data-Filter = ip in forward dstip X.X.X.X/YY,\
            Ascend-Data-Filter = ip in forward dstip Z.Z.Z.Z/YY,\
            Ascend-Data-Filter = ip in drop tcp dstport 25,\
            Ascend-Data-Filter = ip in forward
    </Handler>

Where the X.X.X.X and Z.Z.Z.Z are valid IP blocks.

However, I'm getting a message that AddToReply is an unknown option.

After this Handler, I have a catch-all Handler in which the actual authentication is done, I would prefer to have this Handler come after the initial authentication and reply is built, but the idea is to have more specific Handlers come first.

So...what am I missing? :)

--
Robert G. Fisher
Sitestar.net, Inc.
System Engineer
(276) 666-9533 x 116
Re: (RADIATOR) Handler w/ AddToReply question
I believe that AddToReply is an AuthBy attribute, and not a Handler attribute (in the docs, 6.17.8)

-peter

On Tue, 2002-02-12 at 06:00, Robert G. Fisher wrote:
> I'm trying to use Radiator 2.19 and Handlers to configure some Ascend-Data-Filter attributes to our roaming partners. I've added the following to my config file:
>
> <Handler Client-Identifier = RoamingPartner>
>     AddToReply =Ascend-Data-Filter = ip in forward tcp est,\
>         Ascend-Data-Filter = ip in forward dstip X.X.X.X/YY,\
>         Ascend-Data-Filter = ip in forward dstip Z.Z.Z.Z/YY,\
>         Ascend-Data-Filter = ip in drop tcp dstport 25,\
>         Ascend-Data-Filter = ip in forward
> </Handler>
>
> Where the X.X.X.X and Z.Z.Z.Z are valid IP blocks.
>
> However, I'm getting a message that AddToReply is an unknown option.
>
> After this Handler, I have a catch-all Handler in which the actual authentication is done, I would prefer to have this Handler come after the initial authentication and reply is built, but the idea is to have more specific Handlers come first.
>
> So...what am I missing? :)
>
> --
> Robert G. Fisher
> Sitestar.net, Inc.
> System Engineer
> (276) 666-9533 x 116

--
Peter Moody
Systems Administrator
[EMAIL PROTECTED]
:wq
Re: (RADIATOR) Handler w/ AddToReply question
Hello Robert -

On Wed, 13 Feb 2002 01:00, Robert G. Fisher wrote:
> I'm trying to use Radiator 2.19 and Handlers to configure some Ascend-Data-Filter attributes to our roaming partners. I've added the following to my config file:
>
> <Handler Client-Identifier = RoamingPartner>
>     AddToReply =Ascend-Data-Filter = ip in forward tcp est,\
>         Ascend-Data-Filter = ip in forward dstip X.X.X.X/YY,\
>         Ascend-Data-Filter = ip in forward dstip Z.Z.Z.Z/YY,\
>         Ascend-Data-Filter = ip in drop tcp dstport 25,\
>         Ascend-Data-Filter = ip in forward
> </Handler>
>
> Where the X.X.X.X and Z.Z.Z.Z are valid IP blocks.
>
> However, I'm getting a message that AddToReply is an unknown option.
>
> After this Handler, I have a catch-all Handler in which the actual authentication is done, I would prefer to have this Handler come after the initial authentication and reply is built, but the idea is to have more specific Handlers come first.
>
> So...what am I missing? :)

The first match on a Handler clause is the only match - Radiator only ever executes a single Handler per request. Also, AddToReply is an AuthBy parameter, not a Handler parameter. You will need to use different AuthBy clauses in your Handlers to achieve what you want.

regards

Hugh
Re: (RADIATOR) handler matching
Hello Billy -

On Monday 24 September 2001 14:20, Billy Li wrote:
> Dear All,
>
> I have faced a problem that I use MAX TNT to connect with the radiator, now, several problems exist ...
>
> 1. when I enable DNIS require, I can rather put the two handlers in the cfg file like that ...
>
> <handler called_station_id = >
>     <AuthBy TEST>
>     </AuthBy>
> </handler>
>
> <handler called_station_id = , calling_station_id = >
>     <AuthBy FILE>
>         Filename x
>     </AuthBy>
> </handler>
>
> this would make when the called ID =, it will only choose the least match handler to handle the request ... can I make it use the Max match to handle the request so that I can auth by called-station, calling station and user/pass ??

All you have to do is reverse the order of the Handlers.

<Handler Called-Station-Id = , Calling-Station-Id = >
    <AuthBy FILE>
        Filename x
    </AuthBy>
</Handler>

<Handler Called-Station-Id = >
    <AuthBy TEST>
    </AuthBy>
</Handler>

> 2. when I enable the clid-auth-mode = clid-first in the MAX TNT, I modify the config file like that
>
> <Handler Called-Station-Id = >
>     <AuthBy FILE>
>         Filename /etc/users
>         AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
>     </AuthBy>
> </Handler>
>
> and in /etc/users, I set
>
>     yyy Password = Ascend-CLID Ascend-Require-Auth = Require-Auth,
>
> as I have set Require-Auth in the users file, but whatever I type in the users file, it can let me in
>
> anyone have a suggestion for me ??

I don't know how the Ascend Require-Auth is supposed to work. Anyone else?

regards

Hugh
(RADIATOR) handler matching
Dear All,

I have faced a problem that I use MAX TNT to connect with the radiator, now, several problems exist ...

1. when I enable DNIS require, I can rather put the two handlers in the cfg file like that ...

<handler called_station_id = >
    <AuthBy TEST>
    </AuthBy>
</handler>

<handler called_station_id = , calling_station_id = >
    <AuthBy FILE>
        Filename x
    </AuthBy>
</handler>

this would make when the called ID =, it will only choose the least match handler to handle the request ... can I make it use the Max match to handle the request so that I can auth by called-station, calling station and user/pass ??

2. when I enable the clid-auth-mode = clid-first in the MAX TNT, I modify the config file like that

<Handler Called-Station-Id = >
    <AuthBy FILE>
        Filename /etc/users
        AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
    </AuthBy>
</Handler>

and in /etc/users, I set

    yyy Password = Ascend-CLID Ascend-Require-Auth = Require-Auth,

as I have set Require-Auth in the users file, but whatever I type in the users file, it can let me in

anyone have a suggestion for me ??

thanks

regards,

Billy Li
System Engineer
Unitech Computer System Ltd.
mailto:[EMAIL PROTECTED]
(RADIATOR) Handler Question
I am trying to use a handler to check NAS-IP-Address for more than system. It would be something like this. It is quite a big handler and I have to have multiple copies since they are exactly the same. Is this possible? Any help would be great.

<Handler NAS-IP-Address=XXX.XXX.XXX.XXX,NAS-IP-Address=XXX.XXX.XXX.XXX>
</Handler>

Thanks,

Eric Lackey
ISDN-Net Operations
[EMAIL PROTECTED]

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
FW: (RADIATOR) Handler Question
My first email might have been a little confusing. Here is what I meant to say.

I am trying to use a handler to check NAS-IP-Address for more than one system. It is quite a big handler and I hate to have multiple copies since they are exactly the same. Is this possible? Any help would be great.

This is what I tried, but it doesn't seem to work.

<Handler NAS-IP-Address=XXX.XXX.XXX.XXX,NAS-IP-Address=XXX.XXX.XXX.XXX>
</Handler>

Thanks,

Eric Lackey
ISDN-Net Operations
[EMAIL PROTECTED]

-----Original Message-----
From: Eric Lackey [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 29, 2001 5:54 PM
To: '[EMAIL PROTECTED]'
Subject: (RADIATOR) Handler Question

I am trying to use a handler to check NAS-IP-Address for more than system. It would be something like this. It is quite a big handler and I have to have multiple copies since they are exactly the same. Is this possible? Any help would be great.

<Handler NAS-IP-Address=XXX.XXX.XXX.XXX,NAS-IP-Address=XXX.XXX.XXX.XXX>
</Handler>

Thanks,

Eric Lackey
ISDN-Net Operations
[EMAIL PROTECTED]
Re: FW: (RADIATOR) Handler Question
Hello Eric -

You would use a regular expression, something like this:

<Handler NAS-IP-Address=/XXX.XXX.XXX.XXX|yyy.yyy.yyy.yyy|zzz.zzz.zzz.zzz/>

See section 13 in the Radiator 2.18.1 reference manual.

Otherwise, you can use Identifiers in your Client clauses to create groups (the same Identifier in each Client in the group) and then use this:

<Handler Client-Identifier = >

You can also set up your AuthBy's like this, and refer to them in your Handler(s):

<AuthBy .>
    Identifier DoSomething
    .
</AuthBy>

<AuthBy .>
    Identifier DoSomethingElse
    .
</AuthBy>

<AuthBy GROUP>
    Identifier DoWhatever
    AuthByPolicy ContinueUntilAccept # or whatever
    AuthBy DoSomething
    AuthBy DoSomethingElse
</AuthBy>

<Handler ...>
    AuthBy DoWhatever
    ..
</Handler>

hth

Hugh

On Monday 30 April 2001 11:42, Eric Lackey wrote:
> My first email might have been a little confusing. Here is what I meant to say.
>
> I am trying to use a handler to check NAS-IP-Address for more than one system. It is quite a big handler and I hate to have multiple copies since they are exactly the same. Is this possible? Any help would be great.
>
> This is what I tried, but it doesn't seem to work.
>
> <Handler NAS-IP-Address=XXX.XXX.XXX.XXX,NAS-IP-Address=XXX.XXX.XXX.XXX>
> </Handler>
>
> Thanks,
>
> Eric Lackey
> ISDN-Net Operations
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Eric Lackey [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 29, 2001 5:54 PM
> To: '[EMAIL PROTECTED]'
> Subject: (RADIATOR) Handler Question
>
> I am trying to use a handler to check NAS-IP-Address for more than system. It would be something like this. It is quite a big handler and I have to have multiple copies since they are exactly the same. Is this possible? Any help would be great.
>
> <Handler NAS-IP-Address=XXX.XXX.XXX.XXX,NAS-IP-Address=XXX.XXX.XXX.XXX>
> </Handler>
>
> Thanks,
>
> Eric Lackey
> ISDN-Net Operations
> [EMAIL PROTECTED]
RE: FW: (RADIATOR) Handler Question
Thanks Hugh. That is exactly what I needed. I think the Client list is the best solution.

Eric

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 29, 2001 9:12 PM
To: Eric Lackey; '[EMAIL PROTECTED]'
Subject: Re: FW: (RADIATOR) Handler Question

Hello Eric -

You would use a regular expression, something like this:

<Handler NAS-IP-Address=/XXX.XXX.XXX.XXX|yyy.yyy.yyy.yyy|zzz.zzz.zzz.zzz/>

See section 13 in the Radiator 2.18.1 reference manual.

Otherwise, you can use Identifiers in your Client clauses to create groups (the same Identifier in each Client in the group) and then use this:

<Handler Client-Identifier = >

You can also set up your AuthBy's like this, and refer to them in your Handler(s):

<AuthBy .>
    Identifier DoSomething
    .
</AuthBy>

<AuthBy .>
    Identifier DoSomethingElse
    .
</AuthBy>

<AuthBy GROUP>
    Identifier DoWhatever
    AuthByPolicy ContinueUntilAccept # or whatever
    AuthBy DoSomething
    AuthBy DoSomethingElse
</AuthBy>

<Handler ...>
    AuthBy DoWhatever
    ..
</Handler>

hth

Hugh

On Monday 30 April 2001 11:42, Eric Lackey wrote:
> My first email might have been a little confusing. Here is what I meant to say.
>
> I am trying to use a handler to check NAS-IP-Address for more than one system. It is quite a big handler and I hate to have multiple copies since they are exactly the same. Is this possible? Any help would be great.
>
> This is what I tried, but it doesn't seem to work.
>
> <Handler NAS-IP-Address=XXX.XXX.XXX.XXX,NAS-IP-Address=XXX.XXX.XXX.XXX>
> </Handler>
>
> Thanks,
>
> Eric Lackey
> ISDN-Net Operations
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Eric Lackey [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 29, 2001 5:54 PM
> To: '[EMAIL PROTECTED]'
> Subject: (RADIATOR) Handler Question
>
> I am trying to use a handler to check NAS-IP-Address for more than system. It would be something like this. It is quite a big handler and I have to have multiple copies since they are exactly the same. Is this possible? Any help would be great.
>
> <Handler NAS-IP-Address=XXX.XXX.XXX.XXX,NAS-IP-Address=XXX.XXX.XXX.XXX>
> </Handler>
>
> Thanks,
>
> Eric Lackey
> ISDN-Net Operations
> [EMAIL PROTECTED]
(RADIATOR) Handler for attribute present
What is the best way to write a Handler for requests containing a particular attribute, regardless of its value? Like

<Handler attribute-x=/*/>

Any suggestions?

/Ingvar
(RADIATOR) Handler Problem.
Hi folks.

I have a little problem and I wonder if someone can help me. I have here Radiator 2.14 with mSQL database to authenticate dial-up users. Now I want to make roaming with another ISP, so I added the handler for this into my radius config. This is what I have now

Trace 4
DbDir /usr/local/etc/raddb/db
LogDir /usr/local/etc/raddb/log
LogFile /usr/local/etc/raddb/log/Radiator.log
DictionaryFile /usr/local/etc/dictionary.usr
SnmpgetProg /usr/local/bin/snmpget

<Client 209.239.95.19>
    Secret
    NasType TotalControlSNMP
    SNMPCommunity public
</Client>

<SessionDatabase SQL>
    Identifier SDB1
    DBSource dbi:mSQL:radius
    DBUsername
    DBAuth
</SessionDatabase>

<Handler Realm = another_isp.com>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy RADIUS>
        Host aaa.bbb.ccc.ddd
        Secret
        RetryTimeout 20
    </AuthBy>
    AcctLogFileName %L/another_isp.acct
</Handler>

<Handler User-Name = unauthenticated>
    <AuthBy SQL>
        DBSource dbi:mSQL:noauth
        DBUsername x
        DBAuth yy
        AccountingStopsOnly
        AccountingTable ACCOUNTING
        AcctColumnDef CALLINGSTID,Calling-Station-Id,string
        AcctColumnDef CALLEDSTID,Called-Station-Id,string
        AcctColumnDef ACCTTERMCAUSE,Acct-Terminate-Cause,intege
        AcctColumnDef CONNTERMCAUSE,Connect-Term-Reason,integer
        AcctColumnDef FAILCONNREASON,Failure-to-Connect-Reason,integer
        AcctColumnDef DISCONNREASON,Disconnect-Reason,integer
        AcctColumnDef CONNECTSPEED,Connect-Speed,integer
        AcctColumnDef SERVICETYPE,Service-Type,integer
        AcctColumnDef MODULATYPE,Modulation-Type,integer
    </AuthBy>
</Handler>

<Handler>
    SessionDatabase SDB1
    <AuthBy SQL>
        DefaultSimultaneousUse 1
        DBSource dbi:mSQL:radius
        DBUsername xx
        DBAuth yyy
        AuthSelect select PASSWORD,CHECKATTR,REPLYATTR \
            from SUBSCRIBERS where USERNAME = '%n' and STATUS=1
        AccountingStopsOnly
        AccountingTable ACCOUNTING
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
        AcctColumnDef ACCTCONNECTSPEED,Connect-Speed,integer
        AcctColumnDef ACCTCALLINGSTATIONID,Calling-Station-Id,string
        AcctColumnDef ACCTCALLEDSTATIONID,Called-Station-Id,string
    </AuthBy>
    AcctLogFileName %L/%c
    PasswordLogFileName %L/password.log
</Handler>

Both my users and the users from another_isp.com can authenticate, but my own users can't connect the usual way, so they had to use the terminal window before dialing (in win 9x), to get connected. Why is this happening?

Thanks!

--
Sergio Gonzalez
Operations Director. Node Chief
Skynet de Colombia S.A.
(57) (+1) 6422 020
Santa FE de BogotA, Colombia, South AmErica
Re: (RADIATOR) Handler Problem.
Hello Sergio -

On Tue, 19 Sep 2000, Sergio Gonzalez wrote:
> Hi folks.
>
> I have a little problem and I wonder if someone can help me. I have here Radiator 2.14 with mSQL database to authenticate dial-up users. Now I want to make roaming with another ISP, so I added the handler for this into my radius config. This is what I have now
>
> Trace 4
> DbDir /usr/local/etc/raddb/db
> LogDir /usr/local/etc/raddb/log
> LogFile /usr/local/etc/raddb/log/Radiator.log
> DictionaryFile /usr/local/etc/dictionary.usr
> SnmpgetProg /usr/local/bin/snmpget
>
> <Client 209.239.95.19>
>     Secret
>     NasType TotalControlSNMP
>     SNMPCommunity public
> </Client>
>
> <SessionDatabase SQL>
>     Identifier SDB1
>     DBSource dbi:mSQL:radius
>     DBUsername
>     DBAuth
> </SessionDatabase>
>
> <Handler Realm = another_isp.com>
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy RADIUS>
>         Host aaa.bbb.ccc.ddd
>         Secret
>         RetryTimeout 20
>     </AuthBy>
>     AcctLogFileName %L/another_isp.acct
> </Handler>
>
> <Handler User-Name = unauthenticated>
>     <AuthBy SQL>
>         DBSource dbi:mSQL:noauth
>         DBUsername x
>         DBAuth yy
>         AccountingStopsOnly
>         AccountingTable ACCOUNTING
>         AcctColumnDef CALLINGSTID,Calling-Station-Id,string
>         AcctColumnDef CALLEDSTID,Called-Station-Id,string
>         AcctColumnDef ACCTTERMCAUSE,Acct-Terminate-Cause,intege
>         AcctColumnDef CONNTERMCAUSE,Connect-Term-Reason,integer
>         AcctColumnDef FAILCONNREASON,Failure-to-Connect-Reason,integer
>         AcctColumnDef DISCONNREASON,Disconnect-Reason,integer
>         AcctColumnDef CONNECTSPEED,Connect-Speed,integer
>         AcctColumnDef SERVICETYPE,Service-Type,integer
>         AcctColumnDef MODULATYPE,Modulation-Type,integer
>     </AuthBy>
> </Handler>
>
> <Handler>
>     SessionDatabase SDB1
>     <AuthBy SQL>
>         DefaultSimultaneousUse 1
>         DBSource dbi:mSQL:radius
>         DBUsername xx
>         DBAuth yyy
>         AuthSelect select PASSWORD,CHECKATTR,REPLYATTR \
>             from SUBSCRIBERS where USERNAME = '%n' and STATUS=1
>         AccountingStopsOnly
>         AccountingTable ACCOUNTING
>         AcctColumnDef USERNAME,User-Name
>         AcctColumnDef TIME_STAMP,Timestamp,integer
>         AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>         AcctColumnDef ACCTCONNECTSPEED,Connect-Speed,integer
>         AcctColumnDef ACCTCALLINGSTATIONID,Calling-Station-Id,string
>         AcctColumnDef ACCTCALLEDSTATIONID,Called-Station-Id,string
>     </AuthBy>
>     AcctLogFileName %L/%c
>     PasswordLogFileName %L/password.log
> </Handler>
>
> Both my users and the users from another_isp.com can authenticate, but my own users can't connect the usual way, so they had to use the terminal window before dialing (in win 9x), to get connected. Why is this happening?

I will need to see a trace 4 debug showing what is happening.

thanks

Hugh
RE: (RADIATOR) Handler for a set of realms
Hello Andrew -

On Thu, 07 Sep 2000, Andrew Pollock wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hugh Irvine
> > Sent: Tuesday, September 05, 2000 2:14 PM
> > To: Andrew Pollock; [EMAIL PROTECTED]
> > Subject: Re: (RADIATOR) Handler for a "set of realms"
> >
> > Hello Andrew -
> >
> > On Tue, 05 Sep 2000, Andrew Pollock wrote:
> > > Hi,
> > >
> > > Is it currently possible with Radiator to readily have a handler that checks for the realm being in a set of realms?
> > >
> > > The reason I ask is we have a system here that can theoretically add additional realms that require to be handled at any point in time, and it would be ideal if Radiator could read this from an external file.
> >
> > I think you will have to use a PreHandlerHook to check your file, and perhaps set a pseudo-attribute in the request packet that will be used to select the Handler. There are some examples of hooks in the file "goodies/hooks.txt" in the Radiator 2.16.3 release (also included in all recent releases).
> >
> > hth
>
> Cool, thanks Hugh. Do you know how I might go about caching this file instead of opening it and reading it every time the hook executes?

It depends on how complex the data is, but the simplest approach is to use the GlobalVar constructs. The first two examples in "goodies/hooks.txt" show how to do it. The first hook is a StartupHook which reads the file and initialises the GlobalVar's, while the second hook uses the GlobalVar data to manipulate the packet contents.

hth

Hugh
(RADIATOR) Handler for a set of realms
Hi,

Is it currently possible with Radiator to readily have a handler that checks for the realm being in a set of realms?

The reason I ask is we have a system here that can theoretically add additional realms that require to be handled at any point in time, and it would be ideal if Radiator could read this from an external file.

Hope this makes sense.

Andrew
Re: (RADIATOR) Handler for a set of realms
Hello Andrew -

On Tue, 05 Sep 2000, Andrew Pollock wrote:
> Hi,
>
> Is it currently possible with Radiator to readily have a handler that checks for the realm being in a set of realms?
>
> The reason I ask is we have a system here that can theoretically add additional realms that require to be handled at any point in time, and it would be ideal if Radiator could read this from an external file.

I think you will have to use a PreHandlerHook to check your file, and perhaps set a pseudo-attribute in the request packet that will be used to select the Handler. There are some examples of hooks in the file "goodies/hooks.txt" in the Radiator 2.16.3 release (also included in all recent releases).

hth

Hugh
(RADIATOR) Handler
Hi, Because we get garbage usernames, i've used the handler bit in the config file (see below): Handler User-Name = /\\x/ AuthBy FILE Filename %D/reject-users /AuthBy /Handler Handler AuthByPolicy ContinueWhileIgnore RewriteUsername tr/A-Z/a-z/ AuthBy LDAP2 Hosthostname AuthDN cn=radius,o=WISH, c=NL BaseDN o=WISH, c=NL AuthPasswordencrypted UsernameAttruid PasswordAttruserPassword AddToReply Service-Type = Framed-User,\ Framed-Protocol = PPP,\ Framed-IP-Address = 255.255.255.254,\ Framed-MTU = 1500,\ Primary-DNS-Server= 212.123.129.68, \ Secondary-DNS-Server= 212.123.128.16 /AuthBy AuthBy LDAP2 Hosthostname AuthDN cn=radius,o=WISH, c=NL BaseDN o=WISH, c=NL AuthPasswordencrypted UsernameAttruid PasswordAttruserPassword AddToReply Service-Type = Framed-User,\ Framed-Protocol = PPP,\ Framed-IP-Address = 255.255.255.254,\ Framed-MTU = 1500,\ Primary-DNS-Server= 212.123.129.68, \ Secondary-DNS-Server= 212.123.128.16 /AuthBy /Handler Only the first handler doesn't work realy. Here is a dump: *** Received from 195.7.137.163 port 1812 Code: Access-Request Identifier: 21 Authentic: 4t18026252168t177148196f\10,20611 Attributes: User-Name = "1631381881431592352421595176177 o177X22721913015725322324422681561706 2178%228?201141W23728135NssSB135165w147iv138$244z140O255134L152150247209_191224112 160.140239255197241168190147J203223216254239205255229227155201:210154247T2282022 1[218185/(4168|252255|234139P23015011134231239255230131161728y30,$210~230254237n 235i16826X252239255K29176135K139185N2031626cx144%254206254188225iT208" User-Password = 210;=220139O164a|203176227AT172432m 1452051541371372Z15515730YN11B281 97173320421SJ160O221424{)190L173223)9y152199Kq204234184179)u220K156d*18v144150148 "192172152`3163167205130177133224180229715254147 NAS-IP-Address = 195.7.137.163 NAS-Port = 1299 Acct-Session-Id = "85066624" Interface-Index = 2555 Supports-Tags = 0 Service-Type = Login Chassis-Call-Slot = 6 Chassis-Call-Span = 1 Chassis-Call-Channel = 19 Connect-Speed = NONE Calling-Station-Id 
= "0478631728" Called-Station-Id = "" NAS-Port-Type = Async Wed Feb 9 18:22:39 2000: DEBUG: Check if Handler User-Name = /\\x/ should be used to handle this request Wed Feb 9 18:22:39 2000: DEBUG: Check if Handler should be used to handle this request Wed Feb 9 18:22:39 2000: DEBUG: Handling request with Handler '' Wed Feb 9 18:22:39 2000: DEBUG: Rewrote user name to \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1x\xe3\xdb\x82\x9d\xfd\xdf\xf4\x e28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dw\xed^\\x87nsssb\x87\xa5w\x93iv\x8a$\xf4z\x8co\xff\x86l\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\x ff\xc5\xf1\xa8\xbe\x93j\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7t\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bp\xe6\ x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^Zx\xfc\xef\xffk^]\xb0\x87k\x8b\xb9n\xcb\xa26cx\x90%\xfe\xce\xf e\xbc\xe1it\xd0 Wed Feb 9 18:22:39 2000: DEBUG: Deleting session for \xa3\x8a\xbc\x8f\x9f\xeb\xf2\x9f5\xb0\xb1 o\xb1X\xe3\xdb\x82\x9d\xfd\xdf\xf4\ xe28\x9c\xaa6^B\xb2%\xe4?\xc9\x8dW\xed^\\x87NssSB\x87\xa5w\x93iv\x8a$\xf4z\x8cO\xff\x86L\x98\x96\xf7\xd1_^S^L\xf1^L\xa0.\x8c\xef\ xff\xc5\xf1\xa8\xbe\x93J\xcb\xdf\xd8\xfe\xef\xcd\xff\xe5\xe3\x9b\xc9:\xd2\x9a\xf7T\xe4^T\xdd[\xda\xb9/(^D\xa8|\xfc\xff|\xea\x8bP\xe6 \x96^K\x86\xe7\xef\xff\xe6\x83\xa1^G^\y^^,$\xd2~\xe6\xfe\xedn\xebi\xa8^ZX\xfc\xef\xffK^]\xb0\x87K\x8b\xb9N\xcb\xa26cx\x90%\xfe\xce\x fe\xbc\xe1iT\xd0, 195.7.137.163, 1299 Wed Feb 9 18:22:39 2000: DEBUG: Handling with Radius::AuthLDAP2 Wed Feb 9 18:22:39 2000: DEBUG: Connecting to lrad.inside.servers, port 389 Wed Feb 9 18:25:11 2000: DEBUG: Reading users file /etc/raddb/reject-users Wed Feb 9 18:25:12 2000: INFO: Server started It says that it is reading the /etc/raddb/reject-users, but also you see that he tries to contact the ldap server.. Why? Owya, this is what the reject-users file contains: DEFAULT Auth-Type = Reject -- Regards, Robin Gruyters - SYS/B.O.F.H. 
- [EMAIL PROTECTED] - http://www.phear.nl RIPE nic-hdl: RG3771-RIPE http://www.ripe.net/cgi-bin/whois?AS9133 WISH Worldwide Websites B.V. PGP key ID DEB8C991 Tel: +31(0)413242500 - Fax: +31(0)413332281 - http://www.wish.net/ -- System
(RADIATOR) Handler question
Hello!

Is it possible to invert the result of "attribute=value" clause in Handler tag? I mean, is it possible to use something like

<Handler NAS-IP-Address=192.168.0.1, Realm != global>

?

--
Regards,
Dmitry Niqiforoff [tel. +7 8462 427427]
Kraft-S, JSC. Samara, Russia

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Handler Realm=x,Called-Station-Id=y
Hi Neale -

On Mon, 08 Nov 1999, Neale Banks wrote:
> *** Received from 1.2.3.4 port 1645
> Code: Access-Request
> Identifier: 224
> Authentic: q2137222187204z`178134m19123u
> Attributes:
>     NAS-IP-Address = 1.2.3.4
>     NAS-Port = 209
>     NAS-Port-Type = Async
>     User-Name = "neale2"
>     Called-Station-Id = "12345601"
>     Calling-Station-Id = "365432100"
>     User-Password = "1412192307(oeMJ@208181160132"
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>
> Mon Nov 8 17:50:02 1999: DEBUG: Handling request with Handler 'Realm=example.net.au'
> Mon Nov 8 17:50:02 1999: DEBUG: Handling with Radius::AuthFILE
> Mon Nov 8 17:50:02 1999: DEBUG: Radius::AuthFILE looks for match with neale2
> Mon Nov 8 17:50:02 1999: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Nov 8 17:50:02 1999: DEBUG: Access accepted for neale2

H - what version of Radiator are you running? Radiator 2.13.1 had a fix for Handler.pm choosing the wrong handler. And could you send me a copy of your configuration file (no secrets)? I don't understand how you can be executing Handler Realm=example.net.au with a username of "neale2". Doesn't make sense, does it?

thanks

Hugh
Re: (RADIATOR) Handler Realm=x,Called-Station-Id=y
Hi Hugh,

> H - what version of Radiator are you running? Radiator 2.13.1 had a fix for Handler.pm choosing the wrong handler. And could you send me a copy of your configuration file (no secrets)? I don't understand how you can be executing Handler Realm=example.net.au with a username of "neale2". Doesn't make sense, does it?

Well spotted - I am still running 2.13.1. That will teach me not to check the updates first :-(

How about I load the updated Handler.pm and try that?

Thanks,
Neale.
Re: (RADIATOR) handler regex question
Hello Aaron -

On Thu, 05 Aug 1999, Aaron Holtz wrote:
> I seem to be getting some accounting records from my Ascends that do not include the User-Name attribute (I think they are dropped connections or some type of report from the Ascend.) I have my handlers setup to only take requests from usernames that are valid as I seem to get a lot of "garbage" requests from misbehaving units and I don't want to even parse them. But I would like to log the Ascend logs that come in, but they never match any handler I have as no User-Name attribute is in there. What I'd like to do is create a handler that works with these records. Will the following make a match on a request where NO User-Name attribute is sent or will it only match a User-Name attribute that exists, but is empty?
>
> <Handler Realm="", User-Name="">
> </Handler>
>
> I can't seem to find another attribute in the record that is unique to it and isn't included in a "good" looking accounting request. Any thoughts are appreciated on how I can handle these.

I would be inclined to put an empty Handler after all your other Handlers (note that Handlers are checked sequentially until there is a match):

# This will catch anything else after all other Handlers are checked
<Handler>
</Handler>
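The rule Hugh states in these replies (Handlers are checked sequentially and only the first match runs), as an added Python model that is not Radiator code and not from the list. It assumes comma-separated checks are ANDed, `/.../` values are regexes searched unanchored, and a check on a missing attribute fails; handler names and phone numbers are constructed. Beyond the ordering case it also lints for a regex with an empty alternative, which matches any value and so routes every request carrying that attribute to one Handler.

```python
import re

# Each handler is (name, [(attribute, expected), ...]); an empty list is a catch-all.
# Assumptions of this model: checks are ANDed, "/.../" is a regex searched
# unanchored (as Perl's =~ would), and a check on an absent attribute fails.

PROBES = ["", "0", "constructed-probe-value"]


def is_regex(expected):
    return len(expected) >= 2 and expected.startswith("/") and expected.endswith("/")


def check_matches(attr, expected, request):
    """Evaluate one check against the request attributes."""
    if attr not in request:
        return False
    value = request[attr]
    if is_regex(expected):
        return re.search(expected[1:-1], value) is not None
    return value == expected


def select_handler(handlers, request):
    """Return the name of the first handler whose checks all match, else None."""
    for name, checks in handlers:
        if all(check_matches(a, e, request) for a, e in checks):
            return name
    return None


def lint_handlers(handlers):
    """Flag handlers that can never run and regex checks that match anything."""
    findings = []
    for i, (name, checks) in enumerate(handlers):
        for attr, expected in checks:
            # Heuristic: a pattern that matches all probes (including "") is match-all.
            if is_regex(expected) and all(re.search(expected[1:-1], p) for p in PROBES):
                findings.append((name, f"regex on {attr} matches every probe value"))
        for earlier_name, earlier_checks in handlers[:i]:
            # An earlier handler with a subset of these checks always wins first.
            if set(earlier_checks) <= set(checks):
                findings.append((name, f"unreachable behind {earlier_name}"))
                break
    return findings


# Constructed sample data (numbers are not from the thread).
DNIS_ONLY = ("dnis-only", [("Called-Station-Id", "5550100")])
DNIS_AND_CLID = ("dnis-and-clid", [("Called-Station-Id", "5550100"),
                                   ("Calling-Station-Id", "5550199")])
CATCH_ALL = ("catch-all", [])

LEAST_SPECIFIC_FIRST = [DNIS_ONLY, DNIS_AND_CLID, CATCH_ALL]
MOST_SPECIFIC_FIRST = [DNIS_AND_CLID, DNIS_ONLY, CATCH_ALL]

# Leading and trailing "|" create empty alternatives; the anchored form does not.
EMPTY_ALTERNATIVE = [("dial-in", [("Called-Station-Id", "/|5550100|5550101|/")]), CATCH_ALL]
ANCHORED = [("dial-in", [("Called-Station-Id", "/^(5550100|5550101)$/")]), CATCH_ALL]

REQUEST = {"User-Name": "alice", "Called-Station-Id": "5550100",
           "Calling-Station-Id": "5550199"}
OTHER_NUMBER = {"User-Name": "bob", "Called-Station-Id": "5559999"}

if __name__ == "__main__":
    for label, handlers, request in [
        ("least specific first", LEAST_SPECIFIC_FIRST, REQUEST),
        ("most specific first", MOST_SPECIFIC_FIRST, REQUEST),
        ("empty alternative", EMPTY_ALTERNATIVE, OTHER_NUMBER),
        ("anchored list", ANCHORED, OTHER_NUMBER),
    ]:
        print(label, "->", select_handler(handlers, request), lint_handlers(handlers))
```

Running the lint over a parsed configuration before deployment catches both cases without needing a live NAS.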
(RADIATOR) Handler Problem
I can't seem to get this handler to work correctly. Here is the output of my log file. You will see that even though a user isn't dialing into one of the numbers that is specified in the "Called-Station-Id" attribute he is being authenticated by this Handler. Any ideas?

Help
Brandon

Attached is my current radius.cfg file.

*** Received from 206.15.168.72 port 47149
Code: Access-Request
Identifier: 11
Authentic: 31243"252.249s8163Hk21{227v
Attributes:
    User-Name = "usa1001@usa"
    User-Password = "J]196031oXz"232ERt1398"
    NAS-IP-Address = 209.206.34.54
    NAS-Port = 39
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 209.206.33.16
    Called-Station-Id = "2068128787"
    Calling-Station-Id = "2063671148"
    NAS-Port-Type = Async
    Annex-Transmit-Speed = 4
    Connect-Info = "4 24000 V.90"
    Signature = "21n233u2115137$1883145e170217238V"
    Annex-Receive-Speed = 24000

Wed May 12 07:22:18 1999: DEBUG: Check if Handler User-Name=/\@dual/,Framed-IP-Address=/^206\.15\.|^208\.196\.|^209\.206\./ should be used to handle this request
Wed May 12 07:22:18 1999: DEBUG: Check if Handler User-Name=/\@safeusa|\@kidsconnect/,Framed-IP-Address=/^206\.15\.|^208\.196\.|^209\.206\./ should be used to handle this request
Wed May 12 07:22:18 1999: DEBUG: Check if Handler Called-Station-Id = /|2020|8859810|9759810|9499810|8739810|9449810|9259810|9209810|2378018|2368018|2252255|2502255|3252255|3082255|9268063|9268064|9268018|9498019|3429810|4919810|2959810|4782255|9680468|7550755|3640364|7780778|2960296|3480348|/ should be used to handle this request
Wed May 12 07:22:18 1999: DEBUG: Handling request with Handler 'Called-Station-Id = /|2020|8859810|9759810|9499810|8739810|9449810|9259810|9209810|2378018|2368018|2252255|2502255|3252255|3082255|9268063|9268064|9268018|9498019|3429810|4919810|2959810|4782255|9680468|7550755|3640364|7780778|2960296|3480348|/'
Wed May 12 07:22:18 1999: DEBUG: Handling with Radius::AuthUNIX
Wed May 12 07:22:18 1999: DEBUG: Radius::AuthUNIX looks for match with usa1001@usa
Wed May 12 07:22:18 1999: DEBUG: Radius::AuthUNIX ACCEPT:
Wed May 12 07:22:18 1999: DEBUG: Access accepted for usa1001@usa
Wed May 12 07:22:18 1999: DEBUG: Packet dump:
*** Sending to 206.15.168.72 port 47149
Code: Access-Accept
Identifier: 11
Authentic: 31243"252.249s8163Hk21{227v
Attributes:
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
    Idle-Timeout = 900
    Session-Timeout = 28800

radius.cfg
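The Called-Station-Id pattern in the log above begins and ends with an empty alternative (`/|2020|...|/`), and an empty alternative matches the empty string, so the check succeeds for every request. The following Python audit is an added example, not part of the original post or of Radiator; Python's `re` stands in for Perl here, the function names are hypothetical, and the repaired pattern is an assumed fix built from the first three numbers in the log.

```python
import re

# One "Attr = /regex/" check item, as written on a Handler line or echoed in
# Radiator's "Check if Handler ..." debug output.
CHECK_ITEM = re.compile(r"([A-Za-z][\w-]*)\s*=\s*/((?:\\.|[^/])*)/")

# Constructed probe values; a pattern that accepts all of them filters nothing.
PROBES = ("", "0000000000", "not-a-called-station-id")


def matches_everything(pattern):
    """True if an unanchored search with this regex succeeds on every probe."""
    rx = re.compile(pattern)
    return all(rx.search(probe) is not None for probe in PROBES)


def empty_alternatives(pattern):
    """Count empty alternatives (heuristic for flat patterns without groups)."""
    return sum(1 for part in re.split(r"(?<!\\)\|", pattern) if part == "")


def audit_handler(line):
    """Return one finding per check item whose regex cannot reject any value."""
    findings = []
    for attr, pattern in CHECK_ITEM.findall(line):
        if matches_everything(pattern):
            findings.append("%s: %d empty alternative(s), matches any value"
                            % (attr, empty_alternatives(pattern)))
    return findings


def check_passes(line, value):
    """Apply the first check item's regex on the line to one attribute value."""
    pattern = CHECK_ITEM.findall(line)[0][1]
    return re.search(pattern, value) is not None


# Shortened from the Handler in the log above (first three numbers only).
LOGGED = "Called-Station-Id = /|2020|8859810|9759810|/"
# Assumed repair: no empty alternatives, anchored to the end of the number.
REPAIRED = "Called-Station-Id = /(?:2020|8859810|9759810)$/"
DIALLED = "2068128787"  # Called-Station-Id from the logged Access-Request

if __name__ == "__main__":
    for line in (LOGGED, REPAIRED):
        print(line, audit_handler(line) or "ok", check_passes(line, DIALLED))
```

Running the audit over every Handler line of a configuration before deployment flags check items that silently accept all requests.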
Re: (RADIATOR) Handler vs Realm
Hi Ferhat.

Looks like maybe you are having some trouble with Handlers V Realms? Radiator has a particular way of choosing which Handler or Realm to use to handle a request. From the manual:

-Look for a Realm with an exact match on the realm name
-If still no exact match, look for a matching regular expression Realm
-If still no match, look for a Realm DEFAULT
-If still no match, look at each Handler in turn until one where all the check items match the request.
-If still no match, ignore (i.e. do not reply to) the request.

Some consequences of this:

- Realms have much higher priority than Handlers
- If you have a Realm DEFAULT, no Handlers will _ever_ fire.
- If you have a Handler with no match specifier, (ie <Handler>) then no Handlers that follow it in the config file will _ever_ fire.

We usually advise not to mix Realms and Handlers in the same config file, as you end up with configs that are difficult to understand.

Hope that helps

Cheers.

On May 6, 3:58pm, Ferhat Dilman wrote:
> Subject: (RADIATOR) Handler vs Realm
> [ Attachment (text/plain): 2398 bytes Character set: iso-8859-9 ]
> [ Attachment (application/octet-stream): "radius.cfg" 5267 bytes ]
> [ Attachment (application/octet-stream): "handler.cfg" 5299 bytes ]
-- End of excerpt from Ferhat Dilman

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
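The selection order and its consequences from the message above, as a small Python model with a check for Handlers that can never fire. This is an added example, not Radiator's code and not part of the original message; the function names and sample data are hypothetical, and the model assumes the realm is the part of User-Name after "@" (a Client's DefaultRealm is not modelled).

```python
import re

def is_regex(spec):
    return len(spec) >= 2 and spec[0] == "/" and spec[-1] == "/"

def item_matches(spec, value):
    """/regex/ is an unanchored search; any other spec is an exact match.
    Model assumption: a check item on an absent attribute does not match."""
    if value is None:
        return False
    if is_regex(spec):
        return re.search(spec[1:-1], value) is not None
    return spec == value

def select(realms, handlers, request):
    """Return the Realm or Handler chosen for a request, or None if ignored."""
    realm = request.get("User-Name", "").partition("@")[2]
    for name in realms:                      # 1. exact Realm name
        if name == realm and name != "DEFAULT" and not is_regex(name):
            return "Realm " + name
    for name in realms:                      # 2. regular-expression Realm
        if is_regex(name) and item_matches(name, realm):
            return "Realm " + name
    if "DEFAULT" in realms:                  # 3. Realm DEFAULT
        return "Realm DEFAULT"
    attrs = dict(request, Realm=realm)
    for checks in handlers:                  # 4. Handlers, in file order
        if all(item_matches(s, attrs.get(a)) for a, s in checks.items()):
            return "Handler " + ",".join(a + "=" + s for a, s in checks.items())
    return None                              # 5. nothing matched: no reply

def unreachable_handlers(realms, handlers):
    """Indexes of Handlers that can never fire under the order above."""
    if "DEFAULT" in realms:
        return list(range(len(handlers)))
    for i, checks in enumerate(handlers):
        if not checks:                       # Handler with no check items
            return list(range(i + 1, len(handlers)))
    return []

# Constructed sample: a specific Handler ahead of a general one.
HANDLERS = [{"Realm": "example.com", "Called-Station-Id": "/01$/"},
            {"Realm": "example.com"}]
REQUEST = {"User-Name": "user@example.com", "Called-Station-Id": "5550101"}

if __name__ == "__main__":
    print(select([], HANDLERS, REQUEST))
    print(select(["DEFAULT"], HANDLERS, REQUEST),
          unreachable_handlers(["DEFAULT"], HANDLERS))
    print(unreachable_handlers([], [{}] + HANDLERS))
```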
(RADIATOR) Handler Realm=x,Called-Station-Id=y
For some reason, I can't get this to be preferred over Handler Realm=x

Summarising the config file:

--8--
<Client foo>
    Secret secret
    DefaultRealm example.com
</Client>

<Client bar>
    Secret secret
    DefaultRealm example.com
</Client>

<Handler Realm=example.com,Called-Station-Id="12345601">
    <AuthBy FILE>
        Filename %D/users
        AddToReply cisco-avpair="ip:addr_pool=second_pool"
    </AuthBy>
</Handler>

<Handler Realm=example.com>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>

# placeholder for AuthBy UNIX...
<Realm DummyForUnix>
    <AuthBy UNIX>
        Identifier System
        Filename /etc/shadow
    </AuthBy>
</Realm>
--8--

The general idea is that the AddToReply (specifying a non-default address-pool) will be invoked by calling with the last two digits being 01 (the NAS has PRIs with a 100-group of indial numbers).

Unfortunately, this doesn't seem to work (Radiator 2.13.1). From the log:

--8--
*** Received from foo port 1645
Code: Access-Request
[...]
Attributes:
[...]
User-Name = "neale2"
Called-Station-Id = "12345601"
[...]
Fri Nov 5 18:44:56 1999: DEBUG: Handling request with Handler 'Realm=example.com'
[...]
Code: Access-Accept
[...]
Attributes:
[...]
absence of AddToReply items, all else as expected/desired
--8--

My reading of the docs is that Radiator will search the Handlers _in order_ until it finds one that matches, hence my putting Handler Realm=example.com,Called-Station-Id="12345601" before Handler Realm=example.com. However, we appear to always be falling through to Handler Realm=example.com.

Any ideas/hints?

Thanks,
Neale.
Re: (RADIATOR) Handler Realm=x,Called-Station-Id=y
Hello Neale -

On Fri, 05 Nov 1999, Neale Banks wrote:
> For some reason, I can't get this to be preferred over Handler Realm=x
>
> Summarising the config file:
>
> <Handler Realm=example.com,Called-Station-Id="12345601">
>     <AuthBy FILE>
>         Filename %D/users
>         AddToReply cisco-avpair="ip:addr_pool=second_pool"
>     </AuthBy>
> </Handler>

I would be very interested to see if the Called-Station-Id fired if used on its own. Ie - is it the Realm that is failing, or is it the Called-Station-Id? Could you try a test with just this:

<Handler Called-Station-ID = 12345601>
    <AuthBy FILE>
    </AuthBy>
</Handler>

> --8--
> The general idea is that the AddToReply (specifying a non-default address-pool) will be invoked by calling with the last two digits being 01 (the NAS has PRIs with a 100-group of indial numbers).

Understood.

> Unfortunately, this doesn't seem to work (Radiator 2.13.1). From the log:
>
> --8--
> *** Received from foo port 1645
> Code: Access-Request
> [...]
> Attributes:
> [...]
> User-Name = "neale2"
> Called-Station-Id = "12345601"
> [...]
> Fri Nov 5 18:44:56 1999: DEBUG: Handling request with Handler 'Realm=example.com'
> [...]
> Code: Access-Accept
> [...]
> Attributes:
> [...]
> absence of AddToReply items, all else as expected/desired
> --8--

Could you also include a complete log file with the test above?

> My reading of the docs is that Radiator will search the Handlers _in order_ until it finds one that matches, hence my putting Handler Realm=example.com,Called-Station-Id="12345601" before Handler Realm=example.com. However, we appear to always be falling through to Handler Realm=example.com.

What you expect should be what is happening. Please try the simple Handler above and send me the results.

cheers

Hugh